There is no simple way to do this, unfortunately. Use a TCP frontend without SSL termination, SNI route to different backends that recirculate the traffic to dedicated SSL frontends with different configurations. Something like: frontend port443 ...

Make sure you have dedicated certificates for HTTP/2 and HTTP/1, without overlapping SANs, otherwise SNI routing fails.

Also, your backend has to support HTTP/2 for this, as HAProxy doesn’t (so we need to tunnel).
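
The layout described in the post above, written out as an added example that is not part of the original post. Hostnames, certificate paths, abstract socket names and server addresses are placeholders, and the server behind `be_h2` is assumed to accept cleartext HTTP/2.

```haproxy
# Added example: all names, paths and addresses below are placeholders.

# 1) TCP frontend on :443, no SSL termination. Route on the SNI of the ClientHello.
frontend port443
    mode tcp
    bind :443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend recir_h2 if { req.ssl_sni -i h2.example.com }
    default_backend recir_h1

# 2) Recirculate the still-encrypted stream to dedicated SSL frontends.
#    send-proxy-v2 / accept-proxy preserve the real client address.
backend recir_h1
    mode tcp
    server loop-h1 abns@fe-h1 send-proxy-v2

backend recir_h2
    mode tcp
    server loop-h2 abns@fe-h2 send-proxy-v2

# 3a) HTTP/1 hosts: TLS terminated here, normal HTTP mode, no h2 in ALPN.
#     h1.pem must not carry any SAN that is also in h2.pem.
frontend fe_h1
    mode http
    bind abns@fe-h1 accept-proxy ssl crt /etc/haproxy/certs/h1.pem
    default_backend be_h1

# 3b) HTTP/2 hosts: TLS terminated here with h2 offered in ALPN, but the
#     decrypted stream is tunnelled in TCP mode to a server that speaks HTTP/2.
frontend fe_h2
    mode tcp
    bind abns@fe-h2 accept-proxy ssl crt /etc/haproxy/certs/h2.pem alpn h2,http/1.1
    use_backend be_h2 if { ssl_fc_alpn -i h2 }
    default_backend be_h2_fallback

backend be_h1
    mode http
    server app-h1 192.0.2.10:8080

backend be_h2
    mode tcp
    server app-h2 192.0.2.10:8082      # assumed to accept cleartext HTTP/2

backend be_h2_fallback
    mode tcp
    server app-h2-h1 192.0.2.10:8080   # clients on this host that negotiated http/1.1
```

Because `fe_h2` runs in TCP mode, HTTP-level rules (ACLs on paths or headers, header rewriting, HTTP logging) apply only on `fe_h1`; for the HTTP/2 hosts those controls have to live on the backend server.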